Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Monday, January 04, 2010

Who is Neustar?

Brad Stone at the New York Times reports on an industry group working on a new platform for portable digital movie downloads:

The [Digital Entertainment Content Ecosystem or DECE] is setting out to create a common digital standard that would let consumers buy or rent a digital video once and then play it on any device... Under the proposed system, proof of digital purchases would be stored online in a so-called rights locker, and consumers would be permitted to play the movies they bought or rented on any DECE-compatible device.

[DECE is] selecting Neustar, a company based in Sterling, Va., to create the online hub that will store records of people’s digital purchases, with their permission.

Most consumers have likely never heard of Neustar, yet the firm plays an important role in the telecommunications industry, and has built a highly profitable business facilitating the disclosure of information regarding consumers' communications to law enforcement and intelligence agencies.

The company created and operates the Number Portability Administration Center (NPAC), which enables US and Canadian consumers to keep their phone number when they switch carriers. Each time a consumer attempts to transfer their number from one phone company to another, Neustar is involved, and thus, it has a database of every one of these transfers.

Neustar also provides law enforcement agencies with a web-based front-end (as well as an API) to access this database, enabling government agents to instantly determine which telecommunications company any particular phone number is assigned to. In a typical investigation, before law enforcement or intelligence agencies can obtain a suspect's call records, they must first contact Neustar in order to figure out which phone company he or she is using.

How many times a year does Neustar hand over information on individuals to law enforcement and intelligence agencies? Who knows. The company is not required to disclose this by law, and (as far as I know), has not disclosed any statistics to the general public.

Savvy criminals stop at nothing to cover their tracks - including switching telephone carriers repeatedly. Fortunately, law enforcement professionals can now arm themselves with a powerful weapon against the most elusive perpetrators.

Neustar's Local Number Portability Enhanced Analytical Platform (LEAP) gives LEAs information about recent telephone number porting activity, so you're on the case faster than ever before. Whether your investigations involve pen registers, trap-and-trace, Title III wiretaps or Title 50 wiretaps, LEAP from Neustar puts you in control - and keeps perpetrators within reach.

Neustar also offers a turn-key service for firms that wish to outsource their own legal compliance departments. Telcos and ISPs that don't want to dedicate the manpower to dealing with wiretap, intercept and other surveillance requests from law enforcement and intelligence agencies can pay Neustar to do it for them. The company even has a fancy sales brochure describing the service in detail.

Who better to manage that legal compliance unit than Joel M. Margolis, a former Department of Justice/Drug Enforcement Administration attorney, who up until 2008, "served as DEA's legal representative on Department of Justice working groups responsible for matters of telecommunications legislation and regulation" and previously "advised [the] Federal Bureau of Investigation on the implementation of the CALEA (lawful surveillance) statute."

(The practice of hiring a former DOJ attorney to manage the group within a company responsible for receiving and responding to law enforcement and intelligence agency requests is actually rather common. Google, Microsoft, and MySpace have made similar hires.)

Back in October of 2009, I attended a surveillance industry conference in Washington DC, and taped several of the panels. One of the panel recordings already led to headlines just one month ago, regarding comments made by a Sprint employee discussing the extent of the firm's disclosure of customer GPS data to law enforcement agencies.

At the same conference, Mr. Margolis spoke on a panel discussing the methods by which law enforcement and intelligence agencies can compel Internet and telecom companies into using already deployed Deep Packet Inspection technology for intercepts. While I took down my copy of the audio recordings in response to a request from the conference organizers, the Electronic Frontier Foundation continues to mirror them here. Mr Margolis' comments are enlightening -- and highly recommended for anyone interested in surveillance and privacy related issues.

Something to consider

The main reason I highlight all this information regarding Neustar's various products and services is that I believe that privacy, and in particular, law enforcement access to consumer video purchase records, should be part of any serious debate regarding the Digital Entertainment Content Ecosystem.

To be clear - I have no reason to suspect that Neustar has done anything improper or illegal, and I am confident that the firm's lawyers know CALEA, Title III and the Patriot Act inside out.

However, I am concerned about the fact that Neustar has already built a business around facilitating law enforcement and intelligence agency access to consumer data (both the phone number portability data held by the firm, and its outsourced legal compliance unit), and I am not sure if consumers should be dependent on a firm of this type to protect their highly confidential video purchase and rental records.

As a technologist concerned about privacy, I'm really not keen on the idea of any firm which provides an easy-to-use API to law enforcement agencies holding any of my private data, particularly one which does not disclose any information on the number of law enforcement requests it receives, responds to, and more importantly, rejects and fights in court.

Because of the complete lack of statistical and other information regarding Neustar's disclosures to the government, consumers have no way of knowing how often, if ever, Mr. Margolis says no to his former colleagues at the US Department of Justice.

Will the movie studios and other entertainment companies disclose to consumers that they will provide detailed records for each individual's movie purchases to a company that pledges to put "[the police] in control - and keeps perpetrators within reach"?

I doubt it.

Disclaimer: These are my own personal views, and do not reflect those of any other individual or organization with which I am affiliated.

4 comments:

Anonymous
said...

I'm glad to hear someone else is finally catching on. Here are some major PRIVACY issues that I lose sleep over. I've tried to figure out how this can be legal, I'm just not educated enough. I hope you will be the light at the end of my frustrated, every right to be "slightly paranoid" tunnel. HERE'S what I know.

NeuStar Interface Being Added to Pen-Link 8.1 - Thursday, June 12, 2008 If you use Pen-Link, chances are you also use NeuStar. Many of you told us that it would be convenient if we could make an interface between Pen-Link and NeuStar. Makes sense to us! You'll be happy to learn that we're building an online interface to NeuStar's LEAP service into Pen-Link 8.1.

Have No Fear, Xnet is Here! - Wednesday, December 17, 2008 Do you communicate only by phone? No way! Sure, phones are widely used. But if someone investigated your communications, looking only at your phones, then how much of your communications would they miss? Internet communications are on the rise across the world. Email, instant messaging, Usenet, peer-to-peer networks, blogs, web-based services, web cams and video conferencing are just some of the ways IP communications are used on a daily basis. And guess what? Criminals use all of these forms of IP communications! Are you well equipped to deal with these advances in communications? You can be, with Pen-Link Xnet!

Mike Murman Elected to Board of Jeffrey S. Raikes School - Wednesday, October 15, 2008 Pen-Link’s Chairman and Founder, Mike Murman, has been elected to the University of Nebraska-Lincoln’s Jeffrey S. Raikes School of Computer Science and Management Corporate Executive Board. Previously the J.D. Edwards Honors Program, the Jeffrey S. Raikes School is a one-of-a-kind program in the United States combining computer science and business management education for only the highest caliber of students in the country.

Currently Supported U.S. and International Standards - Friday, August 17, 2007 Pen-Link / LINCOLN supports the following standards for delivery and collection of telephone and Internet intercept data and content. Supported call data transport methods include IP, X.25, and FSK. Supported call content transport methods include analog (POTS), T1, E1, ISDN, BRI/PRI, and IP. Support for new standards are added as they are implemented by carriers. The addition of new standards is included in system maintenance.


Pen-Link Recognized for Export Achievements - Friday, October 27, 2006 Lincoln, NE - Congressman Jeff Fortenberry (R), and Al Frink, Assistant Secretary for Manufacturing and Services, visited the headquarters of Pen-Link, Ltd. in Lincoln, NE to present Mike Murman, President with the Commercial Service Export Achievement Certificate. The Export Achievement Award recognizes companies that have exported and grown their international business with the aid of the U.S. Commercial Service.

VoIP Service Providers Must Comply with CALEA - Friday, July 21, 2006 A recent ruling by the FCC (FCC 05-153, In the Matter of: Communications Assistance for Law Enforcement Act and Broadband Access and Services) determined that VoIP Service Providers are required to provide access to law enforcement agencies for the purposes of lawful interception.

MOUNTAIN VIEW, Calif.—June 13, 2006— Narus, Inc. today announced a strategic agreement with Pen-Link Ltd. to market Narus, Inc’s NarusInsight® Intercept Suite (NIS) software in conjunction with Pen-Link’s LINCOLN® 2 product collection and reporting solution. These combined best-of-breed technologies will provide the industry’s first lawful intercept solution that is fully compliant with the CALEA T1.678 VoIP standard in the US, as well as the European ETSI TS 102 232/233/234 standards for Internet access and e-mail.

SS8 Networks Partners with Pen-Link - Monday, February 13, 2006 Partnership combines best-in-class Lawful Intercept platforms to simplify purchase, installation and support of regulatory-compliant implementations

BARCELONA (3GSM WORLD CONGRESS 2006) - FEBRUARY 13, 2006 - SS8 Networks, the leading provider of Lawful Intercept solutions for telecommunications service providers, today announced a global marketing, distribution and support agreement with Pen-Link, Ltd. of Lincoln, Nebraska.

:: Pen-Link Messaging System :: You may be familiar with MSN or Yahoo Messenger, but you may not realize Pen-Link has its own messaging system called Pen-Link Messenger Service...

:: Timeline Chart for Calls! :: Pen-Link 8 has a new chart: the Call Association Chart! This chart allows you to view call activity based on the timeline features...

UPDATES :: Pen-Link 8.1 Update :: Version 8.1.36.0 :: August 17, 2009

have a nice day, and don't forget to take the battery out of your phone if u don't feel like being followed. JMTD

I read this paranoia over movie rentals etc, but I don't understand your concern

Not to belittle the matter: but it's movies we are talking about, movies from credible producers. So if law enforcement sees what a suspected criminal "purchased", where is the harm?

Secondly, is there an alternative way to handle DRM across geographies and devices? Please suggest if you have ideas. Otherwise to me this approach is very reasonable and could possibly be the future of content ownership that is really seamless.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.